
Why can't I write certificate.crt with acme?


root@vultr:~# systemctl  status  nginx
● nginx.service - A high performance web server and a reverse proxy server
   Loaded: loaded (/lib/systemd/system/nginx.service; enabled; vendor preset: enabled)
   Active: active (running) since Wed 2021-07-28 02:16:44 UTC; 23min ago
     Docs: man:nginx(8)
 Main PID: 12999 (nginx)
    Tasks: 2 (limit: 1148)
   Memory: 8.2M
   CGroup: /system.slice/nginx.service
           ├─12999 nginx: master process /usr/sbin/nginx -g daemon on; master_process on;
           └─13000 nginx: worker process

Jul 28 02:16:44 vultr.guest systemd[1]: Starting A high performance web server and a reverse proxy server...
Jul 28 02:16:44 vultr.guest systemd[1]: nginx.service: Failed to parse PID from file /run/nginx.pid: Invalid argument
Jul 28 02:16:44 vultr.guest systemd[1]: Started A high performance web server and a reverse proxy server.

Nginx is in good status.
I want to create and write certificate.crt with acme:

sudo su -l -s /bin/bash acme
curl  https://get.acme.sh | sh
export CF_Key="xxxx"
export CF_Email="[email protected]"

CF_Key is my global API key in Cloudflare; CF_Email is the registered email used to log in to Cloudflare.

acme@vultr:~$ acme.sh --issue --dns dns_cf -d  domain.com --debug 2

The output is so long that I can't post it here, so I uploaded it to termbin.com; the link is below:

https://termbin.com/taxl

Please open the webpage to see the whole output and check what results in the error. There are two main issues:
1. My nginx server is in good status, but acme.sh can't detect it.
2. How can I set the config file?

[Wed Jul 28 03:04:38 UTC 2021] config file is empty, can not read CA_EAB_KEY_ID
[Wed Jul 28 03:04:38 UTC 2021] config file is empty, can not read CA_EAB_HMAC_KEY
[Wed Jul 28 03:04:38 UTC 2021] config file is empty, can not read CA_EMAIL

To write the key into the specified directory:

acme.sh --install-cert -d domain.com \
        --key-file /usr/local/etc/certfiles/private.key \
        --fullchain-file /usr/local/etc/certfiles/certificate.crt

It encounters a problem:

[Tue Jul 27 01:12:15 UTC 2021] Installing key to:/usr/local/etc/certfiles/private.key
cat: /home/acme/.acme.sh/domain.com/domain.com.key: No such file or directory

To check the files in /usr/local/etc/certfiles/:

ls  /usr/local/etc/certfiles/
private.key

No certificate.crt in /usr/local/etc/certfiles/.
How to fix then?


Solution

  • From acme.sh v3.0.0, acme.sh uses ZeroSSL as the default CA; you must register the account first (one-time) before you can issue new certs.

    Here is how ZeroSSL compares with LetsEncrypt.

    With ZeroSSL as CA

    You must register at ZeroSSL before issuing a certificate. To register, run the command below (assuming [email protected] is the email with which you want to register):

    acme.sh --register-account -m [email protected]
    

    Now you can issue a new certificate (assuming you have set CF_Key & CF_Email, or CF_Token & CF_Account_ID):

    acme.sh --issue --dns dns_cf -d  domain.com
    

    Without ZeroSSL as CA

    If you don't want to use ZeroSSL and, say, want to use LetsEncrypt instead, then you can provide the server option to issue a certificate:

    acme.sh --issue --dns dns_cf -d  domain.com --server letsencrypt
    

    Here are more options for the CA server.
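The sequence in the answer (register, issue, then install) is order-sensitive: `--install-cert` only copies files that a successful `--issue` left under `~/.acme.sh/<domain>/`, which is why the question's install step fails with "No such file or directory". The script below is an added example, not code from the post or from acme.sh, that checks both preconditions before running the install command; the working directory and the ZeroSSL CA config path are assumptions based on acme.sh v3's default layout.

```shell
#!/usr/bin/env bash
# Added example, not code from the original post or from acme.sh itself.
# --install-cert copies from ~/.acme.sh/<domain>/, so if --issue failed
# (e.g. because the ZeroSSL account was never registered) the install step
# ends with the "No such file or directory" error seen in the question.

# Default acme.sh working directory (assumed; override via $LE_WORKING_DIR).
ACME_HOME="${LE_WORKING_DIR:-$HOME/.acme.sh}"
# Where acme.sh v3 keeps the ZeroSSL CA config holding the EAB credentials
# written by --register-account (assumed path; varies by CA and version).
ZEROSSL_CA_CONF="$ACME_HOME/ca/acme.zerossl.com/v2/DV90/ca.conf"

# Succeeds only if the CA config exists, is non-empty and holds both EAB
# values; a missing or empty file is what produces the
# "config file is empty, can not read CA_EAB_KEY_ID" debug lines.
acme_account_registered() {
  local conf="${1:-$ZEROSSL_CA_CONF}"
  [ -s "$conf" ] || return 1
  grep -q '^CA_EAB_KEY_ID=' "$conf" && grep -q '^CA_EAB_HMAC_KEY=' "$conf"
}

# Succeeds only if --issue left both the private key and the full chain
# for the domain, i.e. the files --install-cert reads.
acme_cert_issued() {
  local domain="$1" base="${2:-$ACME_HOME}"
  [ -s "$base/$domain/$domain.key" ] && [ -s "$base/$domain/fullchain.cer" ]
}

# Runs the answer's install step only when both preconditions hold, and
# otherwise tells the operator which earlier step to repeat.
acme_install_if_ready() {
  local domain="$1" dest="${2:-/usr/local/etc/certfiles}"
  if ! acme_account_registered; then
    echo "ZeroSSL account not registered: run acme.sh --register-account -m <email>" >&2
    return 2
  fi
  if ! acme_cert_issued "$domain"; then
    echo "no issued certificate for $domain: run acme.sh --issue --dns dns_cf -d $domain first" >&2
    return 3
  fi
  acme.sh --install-cert -d "$domain" \
    --key-file "$dest/private.key" \
    --fullchain-file "$dest/certificate.crt"
}
```

Run it as the `acme` user with `acme_install_if_ready domain.com` after sourcing the file; the non-zero return codes distinguish "not registered" (2) from "not issued" (3).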